blackguard | 755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus.exe
Size

7.7MB
MD5

b467c46d660686e75e40341c0c7ff3b2
SHA1

109d3de55143ca891844ea9450c0f724a3f0a6c9
SHA256

755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa
SHA512

1d427f295722ae3194b328e3f2ba5abba7f0ef0f30d49a9662360fb4eaaed0cdf70d841eea84b09bae99fd5d1de5de91656a238f7c03985c24b41a8e36f210b1
SSDEEP

196608:nHWp1r9qaKBgngb8KiqYy2+yrTleWDdC7P6hZ0Rxd3:nHWp1r2aq9yPlN0zmYX

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6483219642:AAFWWWbNgdseifC8eEZUAO7r5AzREdOAdQg/sendMessage?chat_id=6282952772

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Executes dropped EXE 1 IoCs

pid	Process
2520	v2.exe

Loads dropped DLL 8 IoCs

pid	Process
2904	Fluxus.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
6	ip-api.com
2	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2520	v2.exe
2520	v2.exe
2520	v2.exe
2520	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	v2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2520	2904	Fluxus.exe	28
PID 2904 wrote to memory of 2520	2904	Fluxus.exe	28
PID 2904 wrote to memory of 2520	2904	Fluxus.exe	28
PID 2904 wrote to memory of 2520	2904	Fluxus.exe	28

C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
548KB

MD5
552eec768f5877ce63868d0526025204

SHA1
1bd64c547d3a52e9f612b8c4ba283423ba367a2f

SHA256
f668d926238d73f086f3d36a3bdc7463a226af975eca0f4fbaa732cac250c696

SHA512
ebd502e17561fa6a5bcabf7f2e99af4756ef7292eabd9f0c2718295c543c5ce6df10af1c8730e15eadbcc122ab11920e91c4315c0042a06028b30ff275129158

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
84KB

MD5
59285541367d0b44b655ad45753d9d17

SHA1
bab06007693dad3f010285e09cc79821c1ee67b8

SHA256
86ac79f2807d85435a271dac11e5d8d9d80c9e2222d3c3fedb520d1f9763ccc2

SHA512
2f3a3943b144f6d240cd9b1fb7c11ceeeefcd810aa48ab434625d932e1a7438cd45db16277f298ee8c488a2c6782fb360f4300eafe05dfb9f25ca99e0ed646f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
190KB

MD5
5023b716ed6497ef60884b4602145acc

SHA1
a6f81c29d9c0ffe571092d271a0b61a33125df65

SHA256
f9e052786be73bfda095f1472dcf465677e9ae0962dbcd17693f66a474400c1b

SHA512
c496e462b75e2d5f22e160523f7da3dd1a1fbcf799e6aedace8f9a37a3a6bf52a229f9d9c4b90da23e8a8872cdaf216e0b6d3d065f2474afac0b84ab2035578c

Download Submit
C:\Users\Admin\AppData\Roaming\VHwRRyFPLByDRBRFGHPZRGFC.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\VHwRRyFPLByDRBRFGHPZRGFC.Admin\Process.txt

Filesize
382B

MD5
b656a53812cce41f4e86e4083a9d3258

SHA1
7f0243cf93c5caabe4cc284f186f447a537be224

SHA256
e802a63731335d5198933c4b0ecfc9c715a2de415cbba59a6613bb2e5c6bf4ff

SHA512
28127244c0dbcbca4a4b57ec890b4c7440a063fecdc8d678df3bab5452428a52d6e882e551a8e7a0453cc7bd214c305541ce95f1194f697de81b20380a53cee7

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
471KB

MD5
ee0959e96cd69366343e65da00c7bba7

SHA1
0c1573c70e4e6120a5f154ed553abc7b3c5beff7

SHA256
40ff35ed0f8cb05389a289e34de336d39a4688ada241cf412fc9d64bffe127df

SHA512
c8d5bc0b23f521d76252e6970d01ea4b1d875f0462ddd03015125c4bd79acf4dca0f2482d4aa44a4125ffc4e47ba487d1208b1c37772a22226f72650d2771062

Download Submit
\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
54KB

MD5
70b48b0a4020a76e154cdb04d46348da

SHA1
f24e03ef5bae7981004e1a619531b845a15bda82

SHA256
1a6c91126e8b055228cca71169cb0af3a2e5ad217ac572ce2c5aea7804560962

SHA512
479f86c179839d944f320ec8a0ce524923ba088a5f175110c15e9106d211cf5861b51f2444324aae3a5a356f34c27fd53771460b53c1d7cda2ca5ce913ec510f

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
334KB

MD5
3d434f6422798152bb84cd8f607f02b7

SHA1
20c37acd9bca1283dbcc9368e4adf33a03ba4710

SHA256
81a252fef8ba330176c48261d386995d49425aa7438236606d56ac28f1373eca

SHA512
8261e5da51c08d34faf9774f5f8616772428a1a2d2bbab2f4a472dd6e8c75284bcc2fb2e1ce862e2d5bfce818d85ff426f5c48cfb3d2efdc3d980a8e7a0424f1

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
48659a7389db03a5b15080464cf2e746

SHA1
854df29ea26c0610aba91834999a3929616f2a7b

SHA256
8e1d929d82cc5bb3d4f959eabddf69e43eeac17a90986c87a1b2bf1626c62dc9

SHA512
c3759af061ed7382f16a0769e77197441a441e0b69dd3647413243cfa6f349246a3a8cea34909d6f549be78881dd4c9a91a06a01d839a68343f1859f0bb6e3c9

Download Submit
memory/2520-69-0x00000000052C0000-0x0000000005328000-memory.dmp

Filesize
416KB

Download
memory/2520-28-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/2520-26-0x0000000000040000-0x000000000008A000-memory.dmp

Filesize
296KB

Download
memory/2520-44-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/2520-74-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/2520-27-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-111-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download